$\begingroup$It may be my lack of expertise in InfoSec, but I suspect you are going to have to give more details about how these keys are meant to be used, and the threat models you are worried about to get a meaningful answer.$\endgroup$
– TripeHoundNov 26 '18 at 16:03

$\begingroup$I agree that the question needs more details - in the current form it is unclear what you want to know. Additionally this kind of question is more suitable for Cryptography.$\endgroup$
– Steffen UllrichNov 26 '18 at 20:30

$\begingroup$The keys are used in a wrapping chain of data encryption key in storage system. Hope that helps.$\endgroup$
– BjorstNov 27 '18 at 12:23

$\begingroup$@Bjorst Not much, really. To know whether AESkey1(key2) etc. help an adversary, we'd need to know things like what is wrapped in which key at which point, and which of those "wrapped" bits of data are might normally be exposed to an adversary, or you assume an adversary might become aware of.$\endgroup$
– TripeHoundNov 27 '18 at 16:34

2 Answers
2

AES is a block cipher with a specific block size of 128 bits and key sizes of 128, 192 and 256 bits.

Clearly, if you wrap an AES-256 bit key with AES-128 then the security of a ciphertext encrypted with the 256 bit key will not exceed 128 bits, if the wrapped key is available to an adversary anyway. We cannot break 128 bit encryption, but you could certainly argue that it is less secure than 256 bit encryption. So you should use keys with identical sizes (this is somewhat different from wrapping only one way; in that case the wrapping should be at least as large as the wrapped key).

There are also problems when you try to wrap an AES-192 or AES-256 bit key, because you cannot directly apply the 128 bit block cipher. You will need some mode-of-operation to encrypt / decrypt the keys using AES. Now you could use AES in ECB mode or CBC mode, but in that case you may be vulnerable to padding oracle attacks - depending on how and when the unwrapping is performed. With AES-256 you can simply use ECB mode without padding scheme, but for AES-192 this is not the case.

And, while we're on the subject, there are many modes of operations, each with their own peculiarities. If incorrectly applied, any kind of encryption may be vulnerable to attack. Fortunately AES keys should consist of data indistinguishable from random to an attacker. This lowers the attack potential of the adversary compared to e.g. attacking a wrapped RSA private key, where the components of the key are within a well defined structure.

As you may notice, these are all issues for wrapping keys in general. If you use a good wrapping mechanism (there are specialized ones for block ciphers), implement the scheme correctly and use AES keys with similar strength then you should be secure. It doesn't matter much that you encrypt both keys with each other - there aren't any equations that would expose the key even if $E_{K_1}(K_2)$ and $E_{K_2}(K_1)$ are given. The only thing that could be an issue is if such a scheme would require you to lower the access conditions to the keys.

If I understand you correctly, you're asking, given C1 = AESK1(P1) and C2 = AESK2(P2), whether it is possible to obtain P1 or P2 in the case where K1 = P2 and K2 = P1. The answer is no, it is not.

There are no known cryptographic attacks that are made easier by having the ciphertext of two keys that are mutually encrypting each other. Obviously, it does allow an attacker to discovery both keys after having discovered only one of them, since they would be able to decrypt the second key once they know the first. Any cipher which becomes weaker when encrypting certain kinds of plaintext (whether known plaintext, all zeros, or even a key used by another cipher) would be considered badly broken. A strong cipher like AES does not have this problem as long as the key is secret and chosen randomly.